RE: Flat vs Segmented DMZ's

["Scott, Richard" <Richard.Scott () BestBuy com>]

<snip>
A fairly standard web app has multiple layers: the front-end web server, 
some middleware, perhaps some AAA software, and a database.

So you run a web server. That means it is very likely to get hacked (IIS, 
Apache, Sun ONE - they have all had nasty security bugs). So now your web 
server has an intruder - what can they do? They can almost certainly do 
anything your web app can do. This means the hacker can communicate with 
the other web app systems, via the same channels (and with the same 
authentication) as your web app. Packet-filtering compartmentalization (by 
itself) does not solve this problem. Something like a database proxy that 
enforces read-only access might, however. Also, assuming that _all_ of your 
components are compartmentalized, the hacker may flood one to three 
compartments, but still may not be able to get into your main network. Of 
course, if your database servers are on your main backbone...

I'm often confused why people think that proxies are the answer here.  It
seems you are describing a web site that is for reference only, certainly
not a commerce site with read only access to the database.  


        </snip>
I think a good strategy would involve identifying the risk factors and
limiting that exposure.  Commerce architecture in essence is far more
heavily built upon that standard hosting web sites that just display
content.  Obviously, the first task would be to prevent and screen out
common attacks at the border prior to your web farm.  The next layer would
involve either grouping you app with your web or your app with the database.
This is common due to the connections between these entities.

I always hold the assumption that given the design, should one of your web
servers become compromised, it should be at least more difficult to obtain
further access to the next layer.  Obviously, the attack could use any
protocol you are allowing through your firewall.  The interesting part is
being able to not allow insecure protocols through the firewall and have
adequate detection devices to alert you to anything abnormal.

It's a common myth in the business world that placing a firewall in your DMZ
is the be all and end all for security.  I often see wide open holes that
would not prevent attacks.  The importance of segmentation, is to be able
isolate your network to the point where it could be far more easily to
identify an attack.  If the attack stumbles across a web server and decides
to directly access the database, the firewall should prevent this if it is
not needed.  The attacker then would like to own the application server.
Accordingly, the subset of attacks now available has shrunk, hopefully
because with each layer you are reducing the available protocols.

Here, one could monitor connections to the database that are not part of the
connection pooling behavior, or contains irregular network traffic.
Obviously Irregular network traffic is a big grey area.  However, all the
attack would have to do would be to understand where the security
credentials exist to be able to build a connection to the database, and
understand the schema.  So really, segmentation isn't going to prevent
attacks if your web/app layer is inadequate. 

By the time they have figured out the schema of your database, do obtain
confidential information, I would expect your IR team to have been alerted.
I think the morale of the story is that segmentation offers extra
protection, by limiting the attacks but if the architecture is well
understood, the attacker could compromise a segmented site if the trust
between the segments can be exploited.

If the DMZ was flat, I would expect a compromise on one box would lead to a
compromise of another box on the same DMZ, with as much or less effort than
the first compromise, however, it may not be possible to affect other
systems outside of that flat DMZ boundary, given one could host several
applications in different DMZ's but within each application the servers are
not segmented.

Think of segmentation of DMZ's like a multiple road blocks.  A road leads
in, somehow, it just a matter of knowing how.  The road was built to support
traffic, however, the road blocks provide simple checks to reduce whom can
travel upon those roads.

The biggest step forward for web sites are the availability of attack
detection and prevention devices that are sold to prevent attacks being
executed.  These tools tend to be termed application based intrusion
prevention tools.  To some businesses a defaced web site can mean just as
much revenue lost than stolen data.  

<end rant>

Cheers
r.









_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards